UbuntuUpdates.org

Package "qemu"

Name: qemu

Description:

This package is just an umbrella for a group of other packages, it has no description.
Description samples from packages in group:

  • extra block backend modules for qemu-system and qemu-utils
  • QEMU Full virtualization on x86 hardware
  • QEMU full system emulation binaries (arm)
  • QEMU full system emulation binaries (common files)

Latest version: 1:2.11+dfsg-1ubuntu7.40
Release: bionic (18.04)
Level: updates
Repository: main

Links



Other versions of "qemu" in Bionic

Repository Area Version
base main 1:2.11+dfsg-1ubuntu7
base universe 1:2.11+dfsg-1ubuntu7
security main 1:2.11+dfsg-1ubuntu7.40
security universe 1:2.11+dfsg-1ubuntu7.40
updates universe 1:2.11+dfsg-1ubuntu7.40

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 1:2.11+dfsg-1ubuntu7.40 2022-06-21 17:06:22 UTC

  qemu (1:2.11+dfsg-1ubuntu7.40) bionic-security; urgency=medium

  * SECURITY UPDATE: heap overflow in floppy disk emulator
    - debian/patches/CVE-2021-3507.patch: prevent end-of-track overrun in
      hw/block/fdc.c.
    - CVE-2021-3507
  * SECURITY UPDATE: integer overflow in QXL display device emulation
    - debian/patches/CVE-2021-4206.patch: check width and height in
      hw/display/qxl-render.c, hw/display/vmware_vga.c, ui/cursor.c.
    - CVE-2021-4206
  * SECURITY UPDATE: heap overflow in QXL display device emulation
    - debian/patches/CVE-2021-4207.patch: fix race condition in qxl_cursor
      in hw/display/qxl-render.c.
    - CVE-2021-4207
  * SECURITY UPDATE: memory leakage in virtio-net device
    - debian/patches/CVE-2022-26353.patch: fix map leaking on error during
      receive in hw/net/virtio-net.c.
    - CVE-2022-26353
  * SECURITY UPDATE: memory leakage in vhost-vsock device
    - debian/patches/CVE-2022-26354.patch: detach the virqueue element in
      case of error in hw/virtio/vhost-vsock.c.
    - CVE-2022-26354

 -- Marc Deslauriers <email address hidden> Thu, 09 Jun 2022 11:37:25 -0400

Source diff to previous version
CVE-2021-3507 A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could occur in fdctrl_transfer_handler() in hw/block
CVE-2021-4206 A flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc() function can lead to the allocation of a smal
CVE-2021-4207 A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values `cursor->header.width` and `cursor->header.he
CVE-2022-26353 A flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for CVE-2021-3748, which forgot to unmap the c
CVE-2022-26354 A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached from the virtqueue before freeing its memor

Version: 1:2.11+dfsg-1ubuntu7.39 2022-02-28 15:06:21 UTC

  qemu (1:2.11+dfsg-1ubuntu7.39) bionic-security; urgency=medium

  * SECURITY UPDATE: crash or code exec in USB redirector device emulation
    - debian/patches/CVE-2021-3682.patch: fix free call in
      hw/usb/redirect.c.
    - CVE-2021-3682
  * SECURITY UPDATE: heap use-after-free in virtio_net_receive_rcu
    - debian/patches/CVE-2021-3748.patch: fix use after unmap/free for sg
      in hw/net/virtio-net.c.
    - CVE-2021-3748
  * SECURITY UPDATE: off-by-one error in mode_sense_page()
    - debian/patches/CVE-2021-3930.patch: MODE_PAGE_ALLS not allowed in
      MODE SELECT commands in hw/scsi/scsi-disk.c.
    - CVE-2021-3930
  * SECURITY UPDATE: NULL dereference in floppy disk emulator
    - debian/patches/CVE-2021-20196-1.patch: Extract
      blk_create_empty_drive() in hw/block/fdc.c.
    - debian/patches/CVE-2021-20196-2.patch: kludge missing floppy drive in
      hw/block/fdc.c.
    - CVE-2021-20196
  * SECURITY UPDATE: integer overflow in vmxnet3 NIC emulator
    - debian/patches/CVE-2021-20203.patch: validate configuration values
      during activate in hw/net/vmxnet3.c.
    - CVE-2021-20203

 -- Marc Deslauriers <email address hidden> Wed, 23 Feb 2022 07:35:04 -0500

Source diff to previous version
CVE-2021-3682 A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfe
CVE-2021-3748 virtio-net: heap use-after-free in virtio_net_receive_rcu
CVE-2021-3930 An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE SELECT commands in mode_sense_page() if the
CVE-2021-20196 A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while processing read/write ioport commands if the s
CVE-2021-20203 An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid

Version: 1:2.11+dfsg-1ubuntu7.38 2021-10-11 19:06:22 UTC

  qemu (1:2.11+dfsg-1ubuntu7.38) bionic; urgency=medium

  * enhance loading of old modules post upgrade (LP: #1913421)
    - d/qemu-block-extra.prerm.in: clear all (current and former) modules
      on purge
    - d/qemu-block-extra.prerm.in: test for exec and prepare /var/run/qemu
      if needed

 -- Christian Ehrhardt <email address hidden> Thu, 19 Aug 2021 14:30:25 +0200

Source diff to previous version
1913421 Load of pre-upgrade qemu modules needs to avoid noexec

Version: 1:2.11+dfsg-1ubuntu7.37 2021-07-15 19:06:25 UTC

  qemu (1:2.11+dfsg-1ubuntu7.37) bionic-security; urgency=medium

  * SECURITY UPDATE: NULL pointer dereference in MemoryRegionOps object
    - debian/patches/CVE-2020-15469-1.patch: add pci-intack write method in
      hw/pci-host/prep.c.
    - debian/patches/CVE-2020-15469-3.patch: add quirk device write method
      in hw/vfio/pci-quirks.c.
    - debian/patches/CVE-2020-15469-4.patch: add ppc-parity write method in
      hw/ppc/prep_systemio.c.
    - debian/patches/CVE-2020-15469-6.patch: add spapr msi read method in
      hw/ppc/spapr_pci.c.
    - CVE-2020-15469
  * SECURITY UPDATE: NULL pointer dereference flaw in SCSI emulation
    - debian/patches/CVE-2020-35504.patch: always check current_req is not
      NULL before use in DMA callbacks in hw/scsi/esp.c.
    - CVE-2020-35504
  * SECURITY UPDATE: NULL pointer dereference flaw in am53c974 SCSI
    - debian/patches/CVE-2020-35505.patch: ensure cmdfifo is not empty and
      current_dev is non-NULL in hw/scsi/esp.c.
    - CVE-2020-35505
  * SECURITY UPDATE: use-after-free flaw was found in the MegaRAID emulator
    - debian/patches/CVE-2021-3392.patch: Remove unused MPTSASState pending
      field in hw/scsi/mptsas.c, hw/scsi/mptsas.h.
    - CVE-2021-3392
  * SECURITY UPDATE: out-of-bounds read/write in SDHCI controller emulation
    - debian/patches/CVE-2021-3409-1.patch: don't transfer any data when
      command time out in hw/sd/sdhci.c.
    - debian/patches/CVE-2021-3409-2.patch: don't write to SDHC_SYSAD
      register when transfer is in progress in hw/sd/sdhci.c.
    - debian/patches/CVE-2021-3409-3.patch: correctly set the controller
      status for ADMA in hw/sd/sdhci.c.
    - debian/patches/CVE-2021-3409-4.patch: limit block size only when
      SDHC_BLKSIZE register is writable in hw/sd/sdhci.c.
    - debian/patches/CVE-2021-3409-5.patch: reset the data pointer of
      s->fifo_buffer[] when a different block size is programmed in
      hw/sd/sdhci.c.
    - CVE-2021-3409
  * SECURITY UPDATE: stack overflow via infinite loop issue in various NIC
    - debian/patches/CVE-2021-3416-1.patch: introduce qemu_receive_packet()
      in include/net/net.h, include/net/queue.h, net/net.c, net/queue.c.
    - debian/patches/CVE-2021-3416-2.patch: switch to use
      qemu_receive_packet() for loopback in hw/net/e1000.c.
    - debian/patches/CVE-2021-3416-3.patch: switch to use
      qemu_receive_packet() for loopback packet in hw/net/dp8393x.c.
    - debian/patches/CVE-2021-3416-5.patch: switch to use
      qemu_receive_packet() for loopback in hw/net/sungem.c.
    - debian/patches/CVE-2021-3416-6.patch: switch to use
      qemu_receive_packet_iov() for loopback in hw/net/net_tx_pkt.c.
    - debian/patches/CVE-2021-3416-7.patch: switch to use
      qemu_receive_packet() for loopback in hw/net/rtl8139.c.
    - debian/patches/CVE-2021-3416-8.patch: switch to use
      qemu_receive_packet() for loopback in hw/net/pcnet.c.
    - debian/patches/CVE-2021-3416-9.patch: switch to use
      qemu_receive_packet() for loopback in hw/net/cadence_gem.c.
    - debian/patches/CVE-2021-3416-10.patch: switch to use
      qemu_receive_packet() for loopback in hw/net/lan9118.c.
    - CVE-2021-3416
  * SECURITY UPDATE: DoS in USB redirector device
    - debian/patches/CVE-2021-3527-1.patch: avoid dynamic stack allocation
      in hw/usb/redirect.c.
    - debian/patches/CVE-2021-3527-2.patch: limit combined packets to 1 MiB
      in hw/usb/combined-packet.c.
    - CVE-2021-3527
  * SECURITY UPDATE: out-of-bounds access issue in ARM Generic Interrupt
    Controller
    - debian/patches/CVE-2021-20221.patch: fix interrupt ID in GICD_SGIR
      register in hw/intc/arm_gic.c.
    - CVE-2021-20221
  * SECURITY UPDATE: infinite loop while processing transmit descriptors
    - debian/patches/CVE-2021-20257.patch: fail early for evil descriptor
      in hw/net/e1000.c.
    - CVE-2021-20257
  * SECURITY UPDATE: data leak in bootp_input()
    - debian/patches/CVE-2021-3592-pre1.patch: add sanity check for str
      option length to slirp/bootp.c.
    - debian/patches/CVE-2021-3592-1.patch: add mtod_check() to
      slirp/mbuf.*.
    - debian/patches/CVE-2021-3592-2.patch: limit vendor-specific area to
      input packet memory buffer in slirp/bootp.*, slirp/mbuf.*.
    - debian/patches/CVE-2021-3592-3.patch: check bootp_input buffer size
      in slirp/bootp.c.
    - debian/patches/CVE-2021-3592-4.patch: fix regression in dhcp in
      slirp/bootp.c.
    - CVE-2021-3592
  * SECURITY UPDATE: data leak in udp6_input()
    - debian/patches/CVE-2021-3593.patch: check udp6_input buffer size in
      slirp/udp6.c.
    - CVE-2021-3593
  * SECURITY UPDATE: data leak in udp_input()
    - debian/patches/CVE-2021-3594.patch: check upd_input buffer size in
      slirp/udp.c.
    - CVE-2021-3594
  * SECURITY UPDATE: data leak in tftp_input()
    - debian/patches/CVE-2021-3595-1.patch: check tftp_input buffer size in
      slirp/tftp.c.
    - debian/patches/CVE-2021-3595-2.patch: introduce a header structure in
      slirp/tftp.*.
    - CVE-2021-3595

 -- Marc Deslauriers <email address hidden> Tue, 13 Jul 2021 07:51:34 -0400

Source diff to previous version
CVE-2020-15469 In QEMU 4.2.0, a MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference.
CVE-2020-35504 A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0. This flaw allows a privileged guest user to
CVE-2020-35505 A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while h
CVE-2021-3392 A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI I/O requests in the case of an error mptsas
CVE-2021-3409 The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to the out-of-bounds read/write access issues pr
CVE-2021-3416 A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions up to and including 5.2.0. The issue occurs
CVE-2021-3527 A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce th
CVE-2021-20221 An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0on aarch64
CVE-2021-20257 net: e1000: infinite loop while processing transmit descriptors
CVE-2021-3592 An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the bootp_input() function and c
CVE-2021-3593 An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp6_input() function and co
CVE-2021-3594 An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp_input() function and cou
CVE-2021-3595 An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the tftp_input() function and co

Version: 1:2.11+dfsg-1ubuntu7.36 2021-02-22 19:07:00 UTC

  qemu (1:2.11+dfsg-1ubuntu7.36) bionic-security; urgency=medium

  * SECURITY REGRESSION: fix multiple regressions caused by CVE-2020-13754
    security update (LP: #1914883)
    - debian/patches/CVE-2020-13754-3.patch: log invalid memory accesses in
      memory.c.
    - debian/patches/CVE-2020-13754-5.patch: allow 64-bit accesses in
      hw/timer/slavio_timer.c.
    - debian/patches/CVE-2020-13754-6.patch: allow less than 32-bit
      accesses in hw/char/bcm2835_aux.c.
    - debian/patches/CVE-2020-13754-9.patch: fix valid.max_access_size to
      access address registers in hw/usb/hcd-xhci.c.

 -- Marc Deslauriers <email address hidden> Wed, 10 Feb 2021 08:37:38 -0500

1914883 hart0: trap handler failed (error -2) (Needs cherry-pick ab3d207f)
CVE-2020-13754 hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address in an msi-x mmio operation.



About   -   Send Feedback to @ubuntu_updates